In researching my previous article on websites that are doing password resets wrong, I tested the Password Reset function of a number of high-profile sites. I did this using an email address which I knew didn’t have an account on each particular website.
When testing Zoom.us however, I observed something quite strange…
I entered the email address of an account I knew didn’t exist on Zoom, ticked the “I’m not a robot” box, and clicked “Send”. I then received a generic response on screen that (correctly) didn’t disclose whether the email address I entered belonged to a valid Zoom account:
You’ve got mail!
Imagine my surprise though, a few moments later, to receive an email from Zoom. This was despite the email address I’d used not being a valid Zoom account! The email had the subject “Zoom password reset confirmation”, and read as follows:
I’ve never encountered a website sending unsolicited email during a Password Reset process before!
Given that the email also included a “Click to unsubscribe” button, I’d potentially been unwittingly subscribed to a mailing list too!
Whilst Zoom’s password reset function is protected by a CAPTCHA, I was nonetheless able to initiate a dozen or so password reset requests within the space of a minute to the same non-Zoom-related email address. This was as simple as clicking the “try again” link on screen, ticking the “I’m not a robot” box and clicking “Send” again. Each time I did this, I subsequently received an email identical to the one above in my inbox:
This means that a malicious attacker can cause Zoom to flood a victim’s inbox with a high volume of “Zoom password reset confirmation” emails in a short space of time and with minimal effort – even if the target doesn’t have a Zoom account.
Attempting to unsubscribe
Incidentally, I also tried following the “Unsubscribe” link in one of these emails. This took me to a web page which presented me with the following options (partly in Chinese!):
I chose the “I don’t want to receive such email anymore” option, clicked “Confirm” and received confirmation that I’d been unsubscribed:
Thinking that doing so might then prevent further unsolicited email arriving from Zoom’s Password Reset process, I initiated another password reset request for my non-existent Zoom account, and immediately received another “Zoom password reset confirmation” email.
So this confirms that a malicious attacker with a spare bit of time can cause Zoom to flood a victim’s inbox with dozens of “Zoom password reset confirmation” emails, even if the victim doesn’t have a Zoom account. As there is no “flood” control implemented by Zoom, and the unsubscribe function seemingly doesn’t work, the victim can’t do anything to stop receiving these unsolicited “spam” emails from Zoom.
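To make concrete what “flood control” and a working unsubscribe would look like on the server side, here is an added Python example of a gate in front of a password-reset endpoint. It is not Zoom’s code and is not part of the original post; it assumes three policies that are my own choices for illustration: no email of any kind is sent to an address that has no account, reset mail is limited per recipient and per client IP using a sliding window (3 per address per hour and 10 per source IP per hour are assumed values), and an unsubscribe request places the address on a suppression list that the reset flow honours. The in-memory outbox and audit list stand in for an SMTP client and a logging pipeline. Whatever the outcome, the caller always receives the same generic response, so the endpoint does not become an account-enumeration oracle.

```python
import time
from collections import deque
from typing import Callable, Deque, Dict, Iterable, List, Set, Tuple

# The same text is returned for every outcome so the form does not reveal
# whether an account exists for the submitted address.
GENERIC_RESPONSE = "If that address belongs to an account, a password reset email is on its way."


def normalize(email: str) -> str:
    """Canonicalise an address so 'Alice@Example.com ' and 'alice@example.com' share one bucket."""
    return email.strip().lower()


class SlidingWindow:
    """Allow at most `limit` events per key within any `window` seconds."""

    def __init__(self, limit: int, window: float, clock: Callable[[], float]) -> None:
        self.limit, self.window, self.clock = limit, window, clock
        self._events: Dict[str, Deque[float]] = {}

    def try_acquire(self, key: str) -> bool:
        now = self.clock()
        events = self._events.setdefault(key, deque())
        while events and now - events[0] >= self.window:   # drop expired entries
            events.popleft()
        if len(events) >= self.limit:
            return False
        events.append(now)
        return True


class ResetMailGate:
    """Decides whether a password-reset request may result in an email being sent."""

    def __init__(self, accounts: Iterable[str], clock: Callable[[], float] = time.monotonic) -> None:
        self._accounts: Set[str] = {normalize(a) for a in accounts}
        # Assumed limits for illustration: 3 reset mails per recipient per hour,
        # 10 reset requests per client IP per hour (on top of any CAPTCHA).
        self._per_recipient = SlidingWindow(3, 3600.0, clock)
        self._per_source = SlidingWindow(10, 3600.0, clock)
        self._suppressed: Set[str] = set()
        self.outbox: List[str] = []                      # stand-in for an SMTP client
        self.audit: List[Tuple[str, str, str]] = []      # (client_ip, address, outcome)

    def unsubscribe(self, email: str) -> None:
        """Honour an unsubscribe link: the address receives nothing further from this flow."""
        self._suppressed.add(normalize(email))

    def request_reset(self, email: str, client_ip: str) -> str:
        addr = normalize(email)
        outcome = self._decide(addr, client_ip)
        self.audit.append((client_ip, addr, outcome))    # internal record only
        return GENERIC_RESPONSE                          # identical for every outcome

    def _decide(self, addr: str, client_ip: str) -> str:
        if not self._per_source.try_acquire(client_ip):
            return "source_rate_limited"
        if addr not in self._accounts:
            return "no_account"          # silently drop: no mail, no mailing-list signup
        if addr in self._suppressed:
            return "suppressed"          # assumed policy: opted-out addresses get no mail at all
        if not self._per_recipient.try_acquire(addr):
            return "recipient_rate_limited"
        self.outbox.append(addr)         # a real service would render and send the reset link here
        return "sent"


if __name__ == "__main__":
    # Constructed scenario: one real account, one attacker IP hammering a non-account address.
    gate = ResetMailGate({"alice@example.com"})
    for _ in range(12):
        gate.request_reset("victim@example.net", "203.0.113.5")
    print("emails actually sent:", len(gate.outbox))               # 0: no account, nothing sent
    print("last outcome:", gate.audit[-1][2])                      # source_rate_limited after 10
```

The ordering of the checks matters: the per-source counter is consumed before anything else so that enumeration attempts against non-existent addresses still burn the attacker’s budget, while the per-recipient counter is only consumed when a message would really be sent, so a victim’s own legitimate reset is not blocked by an attacker’s failed attempts.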
Having responsibly disclosed these issues to Zoom’s security team, their view is:
We’ve reviewed the behavior you have reported. However, while this may not be ideal, the use of CAPTCHA controls on this form means that in order for an attacker to use this behavior to flood a victim’s inbox with unwanted emails they must repeatedly complete the process by hand, requiring a large amount of time and effort on the attacker’s behalf. CAPTCHA controls are a recognized mitigation against these types of attacks, and there are a large number of alternative methods an attacker may use to send spam to their victim which are both automated and require little interaction. Therefore, we don’t believe that this behavior is likely to be exploited by an attacker. In addition, while the “Click to unsubscribe” link in the email does not prevent password reset emails from being delivered to the victim, we don’t believe this behavior poses a security risk at this time due to the amount of user interaction required to take advantage of this behavior.

Zoom security team
What are your thoughts?
Should Zoom be using their password reset function to “spam” their service out to non-users of Zoom? More importantly, should Zoom be respecting requests to unsubscribe from unwanted and unsolicited communications? And should they not at least be implementing some form of “flood” control to limit the rate at which they send password reset emails?
Also, do you know of any other services using their password reset functionality to “promote” their service/products to non-users/members?
Let me know in the comments!